Increasing reliance on online identity verification and remote access in hiring and onboarding processes raises the risk of targeting by threat actors who pose as remote IT workers to gain trusted access, generate revenue, and enable follow-on activity: https://msft.it/6048v8U6j Like legitimate job applicants, threat actors like Jasper Sleet apply, get screened, and even onboarded through HR SaaS platforms. Since 2020, Microsoft has tracked a global operation in which skilled IT workers apply for remote job opportunities: https://msft.it/6040v8U6e The latest blog from Microsoft Defender Research Team shows how signals from HR SaaS platforms can be used with cross-domain visibility in Microsoft Defender XDR and Microsoft Defender for Cloud Apps to detect and hunt for suspicious activity from potential hires or newly onboarded employees.
Microsoft Threat Intelligence
We are Microsoft's global network of security experts. Follow for security research and threat intelligence.
About us
The Microsoft Threat Intelligence community is made up of more than 10,000 world-class experts, security researchers, analysts, and threat hunters analyzing 78 trillion signals daily to discover threats and deliver timely and hyper-relevant insight to protect customers. Our research covers a broad spectrum of threats, including threat actors and the infrastructure that enables them, as well as the tools and techniques they use in their attacks.
- Website: https://aka.ms/threatintelblog
- Industry: Computer and Network Security
- Company size: 10,001+ employees
- Headquarters: Redmond, Washington
- Specialties: Computer & network security, Information technology & services, Cybersecurity, Threat intelligence, Threat protection, and Security
Updates
- Attackers are using cross-tenant helpdesk impersonation to trick users into granting remote access. Read this Microsoft Defender Research blog to learn how these attacks work and how layered defenses and user awareness reduce risk: https://msft.it/6040v6Spy
- In identity-based intrusions, threat actors seek to compromise domain-level credentials on first access and abuse them almost immediately, highlighting the importance of disrupting and containing credential-based attacks as they happen. Proactive shielding in Microsoft Defender’s automatic attack disruption capability uses high-confidence signals of credential theft activity to proactively restrict accounts that might have been exposed, helping stop attacks before stolen credentials are fully operationalized. The latest blog from Microsoft Defender Research uses a case study to demonstrate how proactive shielding protects organizations in the real world. Read: https://msft.it/6043v6D29
- Microsoft identified a campaign by North Korean state actor Sapphire Sleet employing new combinations of macOS-focused execution patterns and techniques, enabling the threat actor to compromise systems through social engineering rather than software exploitation. https://msft.it/6041Qhnhx This activity demonstrates how convincing user prompts and trusted system utilities could be misused to operate outside traditional macOS security protections, enabling credential theft, persistent backdoor access, and large-scale exfiltration of sensitive data, including cryptocurrency-related information. As part of responsible disclosure, Microsoft shared details of this activity with Apple. Apple has since implemented updates to help detect and block the malware and infrastructure associated with this campaign. Get Microsoft Defender detections, mitigation, and hunting guidance from this Microsoft Threat Intelligence blog post.
- The April 2026 security updates are now available. Details are here: https://msft.it/6018SZEg0 #PatchTuesday
- Tax deadline is coming up. So are the phishing emails. Like the IRS reaching out. Maybe think twice? Get a rundown of tax-themed phishing and malware campaigns to look out for, and know how to stay prepared: https://msft.it/6042Q7Ozm
- Microsoft Defender Research discovered an intent redirection vulnerability in a widely used third-party Android SDK that enabled apps on the same device to bypass Android sandbox protections and gain unauthorized access to private data. https://msft.it/6041QfVtR We notified EngageLab and the Android Security Team and collaborated to validate the issue, and a fix for the vulnerability was released by EngageLab. Apps detected using vulnerable versions of the SDK have also been removed from Google Play. High-value apps like mobile wallets are at risk when third-party SDK integrations expose exported components that can be reached by other apps. As mobile apps increasingly rely on upstream libraries, integration flaws can expand the attack surface, potentially introducing supply-chain risk.
- Microsoft researchers observed an emerging, financially motivated threat actor that Microsoft tracks as Storm-2755 conducting “payroll pirate” attacks targeting Canadian employees. The campaign compromises user accounts to gain unauthorized access to internal HR and payroll systems and redirect salary payments to attacker-controlled accounts. https://msft.it/6046Q4lmK By leveraging SEO poisoning and malvertising to deliver adversary-in-the-middle (AiTM) phishing infrastructure, the actor hijacks authenticated sessions and bypasses legacy MFA protections while blending into legitimate user activity to maintain persistence and evade detection. Microsoft Incident Response – Detection and Response Team (DART) is publishing this research to share observed tactics, techniques, and procedures (TTPs) along with mitigation, detection, and hunting guidance to help organizations investigate and defend against this campaign and similar AiTM-enabled payroll pirate attacks.
- High-value assets like domain controllers, identity infrastructure, and business-critical web servers are frequent targets in sophisticated attacks. To expand differentiated protections for these assets, Microsoft Defender uses device role and attack path context to block high-impact threats on Tier 0 systems. https://msft.it/6043Q43F9 By enriching endpoint signals with critical asset intelligence from Microsoft Security Exposure Management, Defender elevates behavior that might appear as weak signals into high-confidence prevention to stop credential theft, block web shells, and disrupt attack paths where blast radius is greatest. Read this blog from the Microsoft Defender Research Team to learn how high-value protection works, get real-world protection scenarios, and validate protections in your environment:
- Cynthia Kaiser, Senior Vice President of the Ransomware Research Center at Halcyon and former FBI deputy assistant director, joins Sherrod DeGrippo on this episode of the Microsoft Threat Intelligence Podcast to discuss the current landscape of ransomware. https://msft.it/6048QN01w The highly organized ransomware ecosystem enables developers, affiliates, brokers, and entire marketplaces to operate at a scale and speed that leaves little room for error. Attacks are often timed for off-hours and leverage virtualization to compromise environments quickly. Operations are structured for profit, with criminal groups able to quickly replace low-level actors and retain stolen data even after organizations recover. The effects are especially visible in sectors like healthcare, where disruptions can lead to extended downtime and, in some cases, patient harm. In response, law enforcement and security professionals continue to focus on disrupting ransomware ecosystems and targeting key operators to create more lasting impact. Hear Cynthia Kaiser’s perspective on ongoing strategies and lessons learned in this episode.